Juliet works in sales at Example Company, Inc. She travels a lot, so she has a laptop with a VPN client. This enables her to connect to the Denver office network in a secure way. To increase security further, she is required to identify herself to a RADIUS server with the IP address 10.72.1.5 before she is allowed to connect to the firewall. She also wants to be able to telnet to a computer at the Colorado Springs office, which is enabled by setting up a relay in Company Firewall 2.

Both firewalls need additional configuration for this.
Begin with Company Firewall 1 and start configuration on the RADIUS page under Basic Configuration. The RADIUS server has the IP address 10.72.1.5.

The firewall will need at least one X.509 certificate to manage the RADIUS authentication. You create and upload certificates on the Certificates page.

Then go to the Eth0 page under Network and create an Alias for the inside of the firewall. The IP address used here must not be used by any other computer on the network.
This alias is used for the authentication server of the firewall, which is the part that connects to the RADIUS server to authenticate users.

Then go to the Authentication Server page under Virtual Private Networks. Here an IP address for the firewall is selected, which is used for Juliet's authentication. Select 10.72.1.2, the alias for the inside interface. A certificate for the authentication server is also required. Select a certificate from the ones created on the Certificates page.

Road warriors must use the authentication type X.509 certificates, which means that an X.509 certificate for the firewall itself must be created (and, of course, certificates for each laptop wanting to connect to it). Go to the X.509 Certificates page and select from the certificates created on the Certificates page.

Juliet's laptop must be defined on the IPsec Peers page. Remember to turn RADIUS on.

Press the Change/View button to load the X.509 certificate for Juliet's laptop.

On the IPsec Tunnels page, define the new IPsec tunnel. It consists of the Denver office network and Juliet's laptop. The laptop's IP will probably be NATed, but we don't know that for sure, so we select Remote/private address, which allows public as well as private IP addresses for Juliet's laptop.

A new network must be defined on the Networks and Computers page to make rules for Juliet's laptop. The network, Internet-VPN, must have the interface '-' to work with VPN.

Add Rules (No. 12-17) to allow Juliet to work on the office network.

With road warriors connecting to the firewall, blacklisting is possible. Configure blacklisting parameters on the IPsec Settings page.

Juliet wants to telnet to a workstation with the IP address 174.25.30.3 on the Colorado Springs office network. Enable this by setting up a relay listening to the outside of Company Firewall 2. Since this traffic should be encrypted, too, a VPN tunnel between the laptop and the firewall should be defined. First, select a certificate for Company Firewall 2 on the X.509 Certificates page.

After that, define Juliet's laptop on the IPsec Peers page for Company Firewall 2. The X.509 certificate for Juliet's laptop is imported as before.

A new IPsec tunnel is required, in this case from the laptop to the firewall itself. This is done on the IPsec Tunnels page. As we don't know for sure if Juliet's laptop will have a NATed IP address, we select Remote/private address as the Remote side.

Finally, define a TCP relay on the Relays page, listening to a high port which is reserved for this telnet connection. The traffic is relayed to port 23 on the workstation.
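Before the settings above are committed on both firewalls, it helps to check the plan against the constraints the walkthrough states (free alias address on the inside network, X.509 plus RADIUS for the road-warrior peer, Remote/private address on the tunnel, interface '-' on the Internet-VPN network, a high relay port forwarded to port 23). The following is an added example and not part of the firewall product or this guide; the inside network 10.72.1.0/24 and its host inventory are assumptions, while the other addresses and names are taken from the text.

```python
import ipaddress

# Constructed plan matching the walkthrough above. Addresses that appear on the
# page are used as given; the inside network and its host inventory are assumed.
PLAN = {
    "inside_network": "10.72.1.0/24",                          # assumed
    "inside_hosts": ["10.72.1.1", "10.72.1.5", "10.72.1.20"],  # assumed inventory
    "radius_server": "10.72.1.5",
    "auth_server_alias": "10.72.1.2",
    "peer": {"name": "juliet-laptop", "auth": "x509", "radius": True},
    "tunnel_remote_side": "Remote/private address",
    "vpn_network": {"name": "Internet-VPN", "interface": "-"},
    "relay": {"listen_port": 40023, "target": "174.25.30.3", "target_port": 23},
}


def check_plan(plan, **overrides):
    """Return a list of findings for the plan (empty list = passes all checks)."""
    plan = {**plan, **overrides}
    findings = []
    net = ipaddress.ip_network(plan["inside_network"])
    alias = ipaddress.ip_address(plan["auth_server_alias"])
    radius = ipaddress.ip_address(plan["radius_server"])
    # The alias is the authentication server's own address on the inside
    # interface: it must lie on that network, be free, and reach the RADIUS server.
    if alias not in net:
        findings.append(f"alias {alias} is not on inside network {net}")
    if str(alias) in plan["inside_hosts"]:
        findings.append(f"alias {alias} collides with an existing inside host")
    if radius not in net:
        findings.append(f"RADIUS server {radius} is not on inside network {net}")
    # Road warriors use X.509 certificates and are also checked against RADIUS.
    peer = plan["peer"]
    if peer["auth"] != "x509":
        findings.append(f"peer {peer['name']} must authenticate with an X.509 certificate")
    if not peer["radius"]:
        findings.append(f"RADIUS is not turned on for peer {peer['name']}")
    # The laptop may be behind NAT, so the tunnel must accept public and private addresses.
    if plan["tunnel_remote_side"] != "Remote/private address":
        findings.append("tunnel remote side must be 'Remote/private address'")
    # The VPN network object only matches tunnel traffic with interface '-'.
    if plan["vpn_network"]["interface"] != "-":
        findings.append(f"network {plan['vpn_network']['name']} needs interface '-'")
    # The relay listens on a dedicated high port and forwards to telnet (23).
    relay = plan["relay"]
    if not 1024 <= relay["listen_port"] <= 65535:
        findings.append(f"relay listen port {relay['listen_port']} is not a high port")
    if relay["target_port"] != 23:
        findings.append(f"relay target port {relay['target_port']} is not telnet (23)")
    return findings
```

Calling `check_plan(PLAN)` on the plan as written returns an empty list; passing an override such as `auth_server_alias="10.72.1.5"` reports the collision with the RADIUS server's address.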
